99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


Unable to decrypt credentials file when using pass backend

doolio opened this issue · comments

  • I am using the latest release of AWS Vault

Yes, v7.2.0 installed via asdf.

$ aws-vault --version
v7.2.0

  • I have provided my .aws/config (redacted if necessary)

AWS_CONFIG_FILE="${XDG_CONFIG_HOME}/aws/config"

[default]
region = us-east-1
output = json

[profile iamadmin-saa-mgmt]

[profile iamadmin-saa-prod]

I also have the following environment variables set:

AWS_VAULT_BACKEND="pass"
AWS_VAULT_PASS_PREFIX="aws-vault"  # set because I already have an existing password-store

My profile credentials are stored in

~/.password-store/aws-vault/iamadmin-saa-mgmt
~/.password-store/aws-vault/iamadmin-saa-prod

$ aws-vault list
Profile                  Credentials              Sessions                 
=======                  ===========              ========                 
default                  -                        -                        
iamadmin-saa-mgmt        iamadmin-saa-mgmt        -                        
iamadmin-saa-prod        iamadmin-saa-prod        -                        

  • I have provided the debug output using aws-vault --debug (redacted if necessary)

I checked #686 and I already had $GPG_TTY=$(tty) set and exported, so it is not the same issue. Now, my primary GPG key is stored in a Trezor model-T and I am prompted on it when I need to decrypt a file in my password-store. This works well when not using aws-vault because my password-store was initialised with my TREZOR-based GPG identity.

However, you can see from the aws-vault command output above that it is not working when aws-vault is in the loop. What is the significance of the --prompt flag? I understand from #1185 one used to be able to set this to "pass". Could the removal of this option be why I don't get prompted on my hardware-based token?

I don't think the mfa_process option will work as I'm not using pass to generate an OTP. I have MFA access set up on my two profiles and am using a software-based MFA device. If I include the mfa_serial identifier in my profile I get prompted to enter the OTP, but it still doesn't work.

Any ideas? Thanks for your time.

Same for me, I get the error below:

gpg: XXXXXXXXXXXXXXXXXXXXXXXXX: skipped: No public ke
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
aws-vault: error: exec: Failed to get credentials for dil-icompass-dev: exit status 1

Despite what I stated above, I think this is somehow related to #686. I think aws-vault creates a subshell (for some or all of its subcommands?) where, for whatever reason, the setting of GPG_TTY is not inherited and so returns "not a tty".
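A small diagnostic for the inheritance question raised in this thread, added here as an example and not part of aws-vault or the reporter's setup. It checks from a separate `sh` child process, the way a program like aws-vault would see the environment, whether GPG_TTY is actually exported rather than only set, and whether a pass entry (path assumed, e.g. aws-vault/iamadmin-saa-mgmt) decrypts when stdin is not a terminal.

```shell
# Added diagnostic helpers; not aws-vault's own code. Assumes the variable
# names from the thread (GPG_TTY) and a pass entry path like
# "aws-vault/iamadmin-saa-mgmt" under the AWS_VAULT_PASS_PREFIX prefix.

# Return 0 only if NAME is present in the environment a child process
# inherits, i.e. it is exported, not merely assigned in the current shell.
var_is_inherited() {
    name="$1"
    # Spawn a fresh sh so the test sees exactly what a child like aws-vault sees.
    sh -c "[ -n \"\${$name+set}\" ]"
}

# Return 0 if ENTRY can be decrypted by pass from a child process whose
# stdin is /dev/null (no tty on stdin, as when aws-vault invokes pass).
# Returns 2 when pass is not installed so the caller can tell "skipped"
# from "failed".
pass_entry_decrypts_in_child() {
    entry="$1"
    command -v pass >/dev/null 2>&1 || { echo "pass not installed, skipping" >&2; return 2; }
    sh -c "pass show \"$entry\" >/dev/null" </dev/null
}

# Report whether GPG_TTY will reach pinentry in child processes.
check_gpg_tty() {
    if var_is_inherited GPG_TTY; then
        echo "GPG_TTY=$GPG_TTY is exported and will be inherited by child processes"
        return 0
    fi
    echo "GPG_TTY is set but not exported (or unset); run: export GPG_TTY=\"\$(tty)\"" >&2
    return 1
}
```

Run `check_gpg_tty` first; if it passes but `pass_entry_decrypts_in_child aws-vault/<profile>` still fails, the problem is in the gpg/pinentry path rather than in environment inheritance.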

Changed AWS_VAULT_BACKEND=pass to AWS_VAULT_BACKEND=file and it worked.

Command =

export AWS_VAULT_BACKEND=file
export GPG_TTY="$( tty )"

Not for me, but I'm not surprised. How is this then using pass as the backend?